From 902755d4e8ca0bfe2fec7d7bcd61997fe51c8595 Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Tue, 26 Jul 2016 17:00:01 -0700
Subject: [PATCH] Don't enforce public key compliance

You have to trust the public key anyways, so compliance checks are superfluous.
---
 ct/signatures.go | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/ct/signatures.go b/ct/signatures.go
index 600db24..3ea450d 100644
--- a/ct/signatures.go
+++ b/ct/signatures.go
@@ -3,22 +3,17 @@ package ct
 import (
 "crypto"
 "crypto/ecdsa"
- "crypto/elliptic"
 "crypto/rsa"
 "crypto/sha256"
 "crypto/x509"
 "encoding/asn1"
 "encoding/pem"
 "errors"
- "flag"
 "fmt"
 "log"
 "math/big"
 )
 
-var allowVerificationWithNonCompliantKeys = flag.Bool("allow_verification_with_non_compliant_keys", false,
- "Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.")
-
 // PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
 func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error) {
 p, rest := pem.Decode(b)
@@ -38,23 +33,7 @@ type SignatureVerifier struct {
 func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
 switch pkType := pk.(type) {
 case *rsa.PublicKey:
- if pkType.N.BitLen() < 2048 {
- e := fmt.Errorf("public key is RSA with < 2048 bits (size:%d)", pkType.N.BitLen())
- if !(*allowVerificationWithNonCompliantKeys) {
- return nil, e
- }
- log.Printf("WARNING: %v", e)
- }
 case *ecdsa.PublicKey:
- params := *(pkType.Params())
- if params != *elliptic.P256().Params() {
- e := fmt.Errorf("public is ECDSA, but not on the P256 curve")
- if !(*allowVerificationWithNonCompliantKeys) {
- return nil, e
- }
- log.Printf("WARNING: %v", e)
-
- }
 default:
 return nil, fmt.Errorf("Unsupported public key type %v", pkType)
 }
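Review bot: The `case *rsa.PublicKey:` and `case *ecdsa.PublicKey:` arms in NewSignatureVerifier are now empty, so an RSA key of any modulus size and an ECDSA key on any curve are accepted with neither an error nor a log line, and nothing in the code records that this is deliberate. RFC 6962 requires logs to sign with RSA keys of at least 2048 bits or ECDSA on P-256, so I would state the decision where the checks used to be, for example `case *rsa.PublicKey, *ecdsa.PublicKey:` followed by `// Key size and curve are intentionally not checked; callers must pass only keys they already trust.` If operators should still be able to notice a non-compliant log key, a non-fatal `log.Printf` warning could stay, since `log` remains imported. The function body continues past the end of the hunk, so whether the later verification code assumes P-256 or a minimum modulus size cannot be confirmed from here.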